Feeling Wanted Can Help to Close the Sale

At my house we are in the throes of college selection for my high school senior. It has been an amazing experience and reminds me of a valuable sales lesson.

My son applied to six colleges on the advice of his guidance counselor. They are six schools he had determined might be a good fit for him and his area of study.

That list says nothing about the schools that have been passionately courting him. Schools he didn’t consider have been trying to gain his interest as well. The schools that were courting him and the schools that accepted him have something in common - the approach they use to close the sale.

Closing the Sale by Feeling Wanted

The Courters

These are schools that have seen my son’s records and would like him to attend their school. They write, they call, they have students call, and they invite him to events. They do just about everything they can think of to let him know they value him and want him as a student/client. They even reached out to us, his parents.

You see, if we are aware of how much they value our son - maybe we’d work on him from our end.

The Accepters

These are the schools that sent him acceptance letters. Well, actually, some of the schools called him or texted him to congratulate him on his acceptance.

They are so excited to welcome him to their school and they are sharing that excitement with him.

Talk About Feeling Wanted!

We can learn a lot about sales from this experience.

Prospective clients want to know that you really value them. That you want to do business with THEM. It isn’t enough to have a basic structure to your sales process. You have to create a plan that really highlights how much you want to do business with them specifically.

When a prospect feels like they matter to you, it changes the way they view a potential relationship with you. So, ask yourself:

  • How can you create an environment that celebrates prospective clients?
  • What can you do to let them know that they are valued and they matter to you?
  • Once they become a client, how can you clearly acknowledge how important it is to you that they have trusted you to help them solve their problem?

Now is the time to create a program that you can launch and implement consistently. You can always adapt and adjust your plan as you roll along and learn more about those prospects and clients.

What would make them feel special?

Remember, it’s about them, not you. Developing a program that has an impact on them is the one that will make the most difference to your bottom line.



VerticalResponse Moves to Drag and Drop, Adds Freemium


It may be surprising to hear a successful email marketing company say it, but Janine Popick, Founder and CEO of VerticalResponse Marketing, admits the main product her company has been selling to small businesses for the last 13 years has had its day.

So when the company decided on an upgrade, they came to the conclusion that they would be better off just going back to the drawing board. Popick told Small Business Trends recently:

“Because we’ve been around so long, we just listened to what our customers wanted.”

Acquired in 2013 by Deluxe, VerticalResponse Marketing has designed a totally new platform that brings in some new ideas, too.

One of the biggest changes is the addition of simple drag and drop controls. They let you add photos, text and even social media buttons to your newsletter, thank you, invitation, or sale announcement.

VR Drag and Drop Email Design Tool

Another new idea is a freemium version. For the first time, it allows small businesses with fewer than 1,000 email contacts to get started with an account free of charge.

In the previous version of VerticalResponse, Popick says users could have a trial period using the software. But after that, even the smallest businesses were expected to start paying for the service.

Popick sees the new freemium version as a kind of marketing tool. She explains:

“We’re hoping you’ll tell a friend.”

Also, as small businesses using VerticalResponse expand, the company hopes they will upgrade to the paid version of the service.

There are three basic pricing tiers:

  • At the free level, users can have up to 1,000 email contacts, send a maximum of 4,000 email messages per month and can link one Facebook and one Twitter account to the platform.
  • At the Basic level, users can connect up to three social media accounts, send an unlimited number of emails per month and pay an introductory cost of $8.80 per month for up to 500 email contacts. (Prices increase with the number of email contacts on your list.)
  • At the Pro level, users can connect up to six social media accounts, send an unlimited number of emails per month and pay an introductory cost of $12.75 per month for up to 500 email contacts. (Again, prices increase the more email contacts your business has.)

The new version of VerticalResponse also lets you share and schedule email and social media up to a month ahead of time.

VR Schedule Email Panel

Controls for both email and social media are located in one dashboard. This is unlike the older software which had email and social media controls in two separate parts of the program.

It is also the first time the company has offered responsive design on all its content. This is so that newsletters, invites and other updates you generate will look the right way whether displayed on a laptop, tablet or mobile phone. The platform offers 50 responsive templates to choose from when designing your emails and social media posts.

Some less popular features will be leaving, Popick said. One is a feature letting you send paper postcards to your contacts. She says Deluxe has another similar feature for sending postcards that will take this service’s place.

So what about the old product, which the company calls VerticalResponse “classic”? VerticalResponse will slowly begin migrating current customers to the new platform over the next year.



15 Top Websites for Entrepreneurs and Small Businesses

You’ve decided to start a business. Simple, right? Maybe not. Starting a business involves so much more than just providing your service or product to the market. There’s marketing, accounting, web design - so many aspects that it’s tough for any individual to truly understand everything involved. From best practices to current technology to sorting through what services and software you need, there is an endless amount of decisions to be made. Where can you turn to discover what you truly need to know? Try one of these 15 top resource websites for entrepreneurs and small businesses.

There is no end to the number of websites offering advice and information to entrepreneurs and small businesses. That’s a great thing for anyone starting a small business! To save time and make searching for the sites that are most helpful less painful, we have compiled a list of top resource websites that are dedicated to helping entrepreneurs and small businesses by providing relevant and resourceful information they need.



Patching: the unlocked door

With Windows XP fast approaching its end-of-support deadline, many firms are going to be at risk of attack, reports Kate O'Flaherty.

The threat from unpatched systems is vast and if Microsoft goes ahead with ending support for Windows XP on April 8, thousands of machines are about to be open to attack.

Many firms have proven to be oblivious to the planned changes and are still to upgrade. And this is a huge number. According to figures from Statcounter.com, as of December 2013, the number of XP users was 18 percent of the global operating systems market.

In the UK, this is just over eight percent. But many in the industry believe this figure could reach across organisations, with isolated legacy machines running XP forming a weak entry point for attack.

This is supported further by recent VMware research, which shows 94 percent of UK organisations had not completed a full migration, with only a third confident they would upgrade in time.

Windows XP end of life has been a long time coming: Microsoft announced it would drop support for the much-used operating system in April 2012, giving users two years to upgrade.

But even with January's announcement of an extension - until at least July 2015 - to anti-virus signatures and security scanning from Security Essentials, upgrading is not going to be an easy task: The cost of new hardware, as well as software applications, is huge. Worse still, the expense will get even bigger for companies which continue to use the operating system this year, with Microsoft hiking support prices to around £120 per PC after April 8.

On top of this, the malware written for XP is now rising as attackers realise the potential rewards. Initially the amount of new malware for XP decreased towards the end of life, says Gary Owens, EMEA senior product marketing manager at VMware. “However, now organisations that make malware have noticed people aren't upgrading and there has been a significant increase.”

Security Essentials

The figures on XP users could also be much higher than estimated. Andrew Mason, co-founder and technical director of RandomStorm, told SC Magazine UK that more than 50 percent of his firm's customers are still using XP.

And judging from its January announcement of support for Security Essentials on XP until 2015, Microsoft also deems this risk to be significant. The move will see the software giant supply anti-malware signatures for Windows XP, but it does not mitigate the risks.

When Windows XP's end of life passes in April 2014, there will be no more security updates, no fixes and no new patches, Tim Rains, director at Microsoft's Trustworthy Computing, tells SC Magazine UK.

Additionally, users will not be able to download and install Security Essentials after April this year.

“The return on investment of running XP has been really good, but it's time to move on,” Rains says. “Attackers are now having more success on XP.”

Between July 2012 and 2013, Microsoft released 45 security updates for Windows 7 and Windows 8, with 30 of those patches also affecting XP. “Attackers will wait for us to release security updates and then they will test to see if those vulnerabilities exist on XP, and then they write exploit codes for it,” says Rains. “Over time, XP will become less and less secure.”

XP users can also install anti-virus products from third-party vendors, but these will not form a long-term solution. Rains warns: “To run anti-virus on XP is like building a house on top of quicksand. It will become less effective as the platform isn't being updated.”

The move by Microsoft to extend basic security support is not lacking in value, says David Emm, senior security researcher at Kaspersky. “But you can only patch a pair of trousers for so long before you need a new pair.”

And after April, every loophole is going to be a zero-day exploit, warns Emm.

Laurie Mercer, a senior consultant at technical consultancy company Context Information Security, agrees. “There will be zero-day bugs. Last week, there was one and it was fixed, but once support for XP runs out it won't be. It's like leaving the door of your house open.”

Microsoft's Rains says the most common attack is the drive-by download, which also uses unpatched vulnerabilities. “This is why after the end of support for XP, people can get compromised just by visiting a web page,” he warns.

Additionally, many firms are compromising themselves further by running obsolete software on top of XP. Mercer says he has seen big companies using Internet Explorer 6. “They're using apps that only support Explorer 6. These can be things like HR, but I have seen standard builds with IE6.”

Other experts have seen similar situations, even in large firms. “I have seen a Windows XP machine that was unpatched and it was compromised in 15 minutes,” says Andrew Lambert, senior consultant, infrastructure technology at Waterstons.

So what can be done to mitigate the risks? Lambert advises firms with some machines still running XP to make sure they have them patched until April 8. “Ideally you want to upgrade, but there are things you can do,” he says. “You must make sure systems are patched as far as they can be and that they cannot infect anywhere else. XP machines should be isolated from the rest of the network. You can create a firewall or a separate network. If the PC is really old, you could disconnect it altogether.”

But protection does not just stop at XP. Microsoft recently announced that it will only be a year until Windows 7 goes into extended support mode, with end of life coming up in 2020. Microsoft has two agendas, says James Lyne, global head of security research at Sophos: security patching, and trying to encourage regular transition to new operating systems.

“Microsoft is trying to get regular transition like Apple and like the mobile market,” he says. “It is both a business strategy and a security strategy.”

A risky business

As a multitude of new operating systems enter the workplace, patching is the most basic yet integral form of mitigating attack, experts agree. In 2013, there were huge increases in malware and this is set to get worse, Lyne says. “This leveraged old, known vulnerabilities for which a patch exists. The malware distribution market is empowered by people that don't patch. New features and code changes introduced quickly means it's harder for enterprises to test.”

The risk of a compromised XP machine is made worse by the fact that an infection on the operating system is “really difficult” to deal with, says Sean Sullivan, security advisor at F-Secure. “So it's about preventing attack.”

But it is not just down to Microsoft to protect XP. Other software providers need to prepare as well, and some are already doing this: Oracle's latest version of Java will no longer run by default on XP.

“I think you have to worry about the commoditised stuff,” says Sullivan. “A hospital in Finland recently got compromised by a bot. People were concerned about data, but it was just an opportunity attack. In the short term, we will see a lot of attacks with things that clog up the networks.”

Adding to the challenge is the fact that Windows XP does not just appear in PCs - much furore has emerged over its use in cash machines. However, these use an embedded version and security in this instance is done in a different way. These units are not connected to a network. To compromise one, attackers must use physical means, such as a CD or USB.

Instead, the risk might be bigger in the Windows XP version that often turns up on point-of-sale (PoS) terminals, which can then be used to compromise a network. This is because many point-of-sale machines running XP are linked into accounting systems and to a data centre, says Mercer. “If you are an attacker, you will go in via the XP machine and reach the other machines,” he says. “You are able to take complete control. It's a way of leveraging. You go for the weakest link in the chain and that's XP.”

Also, any device that handles credit card information will no longer be compliant with the Payment Card Industry (PCI) standards after April, as it will fail the “obsolete software” requirements, says Ross Barrett, senior manager of security engineering at Rapid7. “The biggest challenge will be for businesses with a heavy investment in point-of-sale devices running XP Embedded,” he says. “The recent Target breach in the US shows just what a highly desirable target these devices are.”

Linux: The hidden threat

Windows XP systems are not the only risk on enterprise networks. Another hidden security threat comes in the form of the Linux operating system, which can appear on servers and ‘Internet of Things’ devices and be left unpatched for years.

Linux is more complex to set up than Windows and is therefore easier to misconfigure. Despite a reputation for being unbreakable, Linux can still run vulnerable software, says Mercer. “It tends to appear on things like databases and servers. With Linux you find an exploit that allows you to control the computer, and they usually aren't running anti-virus.”

This is partly because the same attention is not paid to Linux. “When you go to most SMEs - a lot of big firms too - most of their security investment in terms of patching and security controls is focused on Windows and Windows servers,” Lyne says. “I can't tell you how many times I have found a collection of Linux servers running a company website or customer database.”

However, there are ways of automating patching with Linux, says Emm, though there is a caveat. “When you get to the point of doing that, you need to look at issues like, What about the software we are installing? Is it secure? Did we change the password? And, once you know, how do you sort out the ongoing maintenance?”

Coping with change

According to Mercer, the key to keeping secure is a combination of patch management and intrusion detection. “The idea is, you want to slow attackers down enough so you can catch them in that time.”

Firms should also have policies in place to make sure devices are patched as regularly as possible, and on top of this they should monitor their networks, says Andy Aplin, CTO of Accumuli.

As more users take their own smartphones and tablets into the workplace, adding on network access control means devices are validated before one even goes on the network, Aplin says.

“It comes down to risk management,” says Rains. “Some customers are trying to isolate XP systems. Do they really need internet access? Isolating the network segment not connected to the internet begins to manage the risk of attack.”

But, businesses might have a line of apps on XP so that when they look at migrating it will not be as easy as they thought, says Rains. He advises firms in such a position “to look at things like virtualisation”.

XP computers should be identified and not given full access to the domain, agrees Sullivan. “Smart businesses should think about segregated networks.”

Patching - whether Microsoft-supported or Linux - forms an integral part of any security strategy. Without it, attackers can get easy access to the network, through the weakest link in the chain. And from April 8, that is XP.



Big Data: A big deal?

IT decision makers are leveraging Big Data security analytics tools to serve up more information on threats, reports Doug Drinkwater.

For all the industry buzz about the term “Big Data” few know what it entails. So what exactly is Big Data and how does it impact on everyday information security professionals?

Put simply, it's the term used for describing a collection of data sets so large and complex that they can be difficult to process using existing database management tools and traditional data processing applications. Big Data has often allowed for precisely targeted advertising, or real-time analysis of financial trends, for example.

It's a big business, according to research outfit IDC. The firm has forecast that the market will grow at a 40 percent compound annual growth rate from £1.9 billion in 2010 to £10.3 billion by 2015, and this is perhaps unsurprising when other analysts estimate that as many as 200 billion objects will connect to the internet by 2020.

Big Data is not a hard and fast solution, but rather a piece of technology that is increasingly being entwined with security analytics tools and open-source platforms.

It's easy to see why. These solutions harvest Big Data to enable CISOs and IT managers to extract meaning from exabytes of seemingly meaningless data, across various platforms and devices, and almost in real time, too. It can also help dive back in time to look at the detail of events that have happened in the past, or even attacks that are ongoing, such as advanced persistent threats (APTs).

And whereas a conventional analytics platform may only trigger an alarm after three failed login attempts on a critical platform, Big Data tools can do the same while also stipulating commands based on working hours, the employee's job responsibility and the device being used.

“At its core, Big Data is about the ability to extract meaning from massive volumes of disparate data,” says Rashmi Knowles, chief security architect for EMEA at RSA.

That's not to say that IT managers won't face difficulties, however. After all, Big Data chews up more processing power, and requires more scalability and storage than legacy systems. Budgets are more likely to be stretched too by such solutions, and new issues will arise on data storage, especially in relation to how stored data ties in with internal and external compliance.

It's perhaps unsurprising then that this bandwagon remains in its infancy as far as security analytics is concerned. In fact, some industry observers are unsure if Big Data security analytics represents an extension or replacement of the SIEM solutions most often used for controlling compliance, perimeter monitoring and analysing and aggregating logs, albeit after the event.

Most observers do, though, concur that Big Data security analytics is the next level up from the SIEM solutions that are often overrun with data and unable to embrace newer technologies, like domain controllers and proxy servers connecting to the network. One bank reportedly saw the number of its security events grow from 44 billion a month to 65 billion a month in the space of a year.

Meanwhile, some say that companies are customising open-source tools, like Hadoop, for Big Data security analytics purposes, while others argue that Big Data analytics has been around for years - it's only now that meaning can be derived from the endless flow of data in a matter of minutes.

Whatever the view, the trend looks set to impact security professionals in a meaningful way in the year ahead as the advantages become more widely recognised.

“The reality is that - whether they realise it or not - almost every organisation has already been hacked,” Ashvin Kamaraju, VP of product development at Vormetric, recently told SC Magazine UK.

“In 2014, enterprises must create security measures that assume hackers are already inside the network perimeter,” Kamaraju says. “Using Big Data for security intelligence will not just be a ‘nice to have’ but rather a ‘must have’ in 2014. Given all the recent data breaches, we are going to see a rush toward the continuous gathering of security intelligence so that anomalous patterns will bubble to the surface quickly and organisations can respond in near real-time to any perceived threats.”

Further, providing intelligence through Big Data analytics can assess risk, detect problems and interrupt users attempting unsafe activities, says RSA's Knowles. “Analysts will be able to conduct deep-dive investigation in a matter of minutes, where it would normally take hours or days, with more context and clarity than before.”

Security and compliance issues

This, of course, isn't the first time that security analytics has cropped up as an issue in light of the emergence of Big Data.

Back in September of last year, the Cloud Security Alliance's own Big Data Working Group released its yearly “Big Data for Security Intelligence” report, a study which outlined how the landscape of security analytics is changing with the introduction of Big Data tools.

“The goal of Big Data analytics for security is to obtain actionable intelligence in real time,” Alvaro Cardenas, lead author of the report, said at the time. “Although Big Data analytics holds significant promise, there are a number of challenges that must be overcome to realise its true potential. We have only just begun, but are anxious to move forward in helping the industry understand its potential with new research directions in Big Data security.”

But, for all the clamour to piggy-back onto Big Data security analytics, there are some hurdles to overcome. There have been concerns over storage and compliance in particular.

Phil Cracknell, who recently left TNT Express to join Company 85 as head of security and privacy services, believes that the move to cloud services is becoming the facilitator for Big Data security analytics. “Big Data security analytics is about all events occurring on one system, and combining seemingly unrelated results into something meaningful,” he recently told SC.

But Cracknell is concerned that the cloud, while enabling the desired scalability, performance, access, speed and low cost, may lack the necessary controls for enterprise to keep data secure. “Analytics tools do need to catch up,” he says. Companies don't have accessibility to controls through Amazon and other cloud providers as part of their service right now, he points out.

The fact is, Big Data security analytics is essentially “SIEM on steroids,” he says, adding that migration from enterprises to private, hybrid and ultimately public cloud will take SIEM to another level.

“We battled for years with disparate systems within our enterprise to get them all reporting to a central location so that we could utilise this combined data, and now the boundaries have moved outwards and that battle is being fought again, but this time across cloud-based platforms,” he says. The only advantage this time is that because of the cloud, these disparate data streams follow a consistent format so that they can interact from a business operations perspective, he adds.

But Cracknell also has concerns about how data is stored. He is especially concerned with the integrity and confidentiality of data. “It shouldn't be concerning, but we have languished behind perimeters for so long that we have forgotten the basics: Protect the data in its most basic component,” he explains. “If data is protected and classified accordingly, the concerns about pushing it to the cloud lessen.”

In the case of data that has been stored for years, he says security pros must ensure that its integrity is intact and that it has not been modified. “That's a massive challenge for providers.”

Cracknell adds that there are blurred lines, too, on just who is responsible for breach notifications, or notifying users in the case of government eavesdropping.

Bob Tarzey, analyst and director at IT security consultancy Quocirca, agrees with Cracknell that data protection could become an issue. “So, for example, telephony operators are expected to keep records of all calls and this data is also confidential and individual records could be of interest to hackers, whereas the geophysical data of an old company may be high in volume but hard to make sense of at a granular level without context.”

The real issue is understanding what is happening to confidential and regulated data in a sea of less important stuff, he told SC. “This is the realm of data loss prevention more than SIEM, although the latter may have a role to play in clean up or prevention of a data leak.”

Sourcefire's chief scientist Zulfikar Ramzan warns though that as the trend is still in its earliest phase, many companies are still working out the capabilities of Big Data in relation to security analytics. “We're still in the early phases,” he says. “This is just the tip of the iceberg. There's a popular misconception that Big Data is a magic wand, but it's not just one model. There may be different solutions to different problems.”

BIG DATA: The big picture

Bob Tarzey, analyst and director at IT security consultancy Quocirca, says there are two elements of Big Data: “Security from Big Data” (i.e., ensuring these huge volumes of business data are treated with appropriate levels of security) and “Security of Big Data” (how such solutions can be used to improve analytics).



The enemy within - beware the insider threat

Being alert to the danger of outside attacks is one thing, but like charity, security begins at home. Expect the unexpected, warns Geoff Sweeney, CTO of Tier-3.

Hackers, viruses and worms may grab all the headlines, but the biggest security threat to your information systems is just as likely to come from an unexpected source, like the accounts clerk with money worries or the disaffected middle-level manager seeking to misappropriate customer details before resigning to move across to the opposition. 

If these thoughts have been keeping you awake at night then you are in good company. Figures from the Department of Trade and Industry show that 52 percent of the most serious threats affecting large organisations originate from inside, and two-thirds of large organisations have suffered from staff misusing their systems.

Yet despite this, most organisations still focus their security spending on protecting themselves from outside attacks, installing anti-virus software and other systems to prevent spam and unwanted intruders from penetrating their networks.

While these systems perform a worthwhile and necessary job, they can only do so much. Anti-virus software, for instance, reacts only to the threats it recognises. Unless a virus has been spotted before, it will pass into the enterprise unnoticed. It's a bit like having a bouncer on a nightclub door who will let in anyone so long as they aren't on his list of banned characters.

And, of course, anti-virus software and intrusion detection systems will do nothing to stop the wrongdoer on the inside who decides, for instance, he would like to sell private information from your customers' files, or snoop sensitive intellectual property.

So, it is time to re-examine the security landscape and to apply some basic risk management principles to target security investment more tightly against the real dangers. What are the potential threats facing the enterprise, how likely are they, what will be their impact and, most importantly, what is the management process for combating these threats? Brief contemplation highlights the potentially broad nature of threats facing the enterprise: They may not be solely from beyond the perimeter or they may be specifically designed to circumvent the protective capabilities of existing rules.

Instead of constantly fire-fighting, we need to build our defences with a view to preventing attacks, and in the worst case, detecting them in real time so we can take immediate action against them and their consequences.

Let's go back to the bouncer on the nightclub door. If he's any good, he not only looks out for known offenders, but he'll spot the people who are behaving badly or look as if they might cause trouble. He will learn to spot situations where trouble is starting and step in before any real damage occurs. And, if there are any arrests and prosecutions, he'll have CCTV footage to record his actions.

It is time we started to take a similar approach with information security. We need to be able to monitor behaviour patterns on our networks and spot inconsistencies before they cause any real problem. Remember that it is always things you don't expect and are unprepared for that will bite you the hardest.

So how do we do it? Well, for a start, we can use the IT equivalent of CCTV footage to record everything that happens on our networks. By logging everything that occurs - from files accessed on a workstation to incoming mail to website activity - we can pull it all together and build a complete history of who did what on all our systems. And like CCTV, it can be filed away for future reference on some storage medium.

With the basic recording in place, we can begin to build models of what is - and what is not - normal or accepted behaviour. So when unusual behaviour occurs, the system can immediately send out an automatic alert and, if necessary, take remedial action.

By monitoring every piece of communication on the network, this approach can help an organisation decide on a baseline for every aspect of normal operational behaviour. And it can learn from experience to fine-tune the baseline as time goes by.
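The following is an added example and not code from either article: it runs the fixed three-failed-logins rule that the Big Data piece above contrasts with context-aware alerting, alongside a rule that checks each login against a per-user baseline of working hours and devices learned from history, as the last few paragraphs here describe. The log format, field names, sample events and function names are all constructed assumptions.

```python
"""Baseline-driven login alerting over constructed sample events.

Added example. Compares a fixed-threshold rule (alert after N consecutive
failed logins) with a rule that also checks each successful login against
a per-user baseline of working hours and devices learned from history.
The event format, field names and function names are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of normal behaviour, used to learn the baseline.
# Fields: ISO timestamp, user, device, outcome ("ok" or "fail").
HISTORY = """\
2014-01-06T09:02:11 alice WS-ALICE ok
2014-01-06T13:45:02 alice WS-ALICE ok
2014-01-07T08:58:40 alice WS-ALICE ok
2014-01-07T17:30:12 alice LAPTOP-ALICE ok
2014-01-06T08:15:00 bob WS-BOB ok
2014-01-07T09:20:33 bob WS-BOB ok
2014-01-08T10:11:59 bob WS-BOB ok
"""

# Constructed events to evaluate against the rules.
EVENTS = """\
2014-01-09T09:10:00 alice WS-ALICE ok
2014-01-09T02:14:05 alice WS-ALICE ok
2014-01-09T10:00:01 bob WS-BOB fail
2014-01-09T10:00:07 bob WS-BOB fail
2014-01-09T10:00:15 bob WS-BOB fail
2014-01-09T10:01:00 bob WS-BOB ok
2014-01-09T11:30:00 bob KIOSK-7 ok
"""


def parse(text):
    """Turn the whitespace-separated lines into event dicts, in order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, device, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "device": device, "outcome": outcome})
    return events


def threshold_alerts(events, limit=3):
    """Conventional rule: alert when a user reaches `limit` failures in a row."""
    streak = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["outcome"] == "fail":
            streak[ev["user"]] += 1
            if streak[ev["user"]] == limit:
                alerts.append((ev["user"], "failed-login-threshold"))
        else:
            streak[ev["user"]] = 0
    return alerts


def build_baseline(history):
    """Learn, per user, the login hours and devices seen in normal history."""
    baseline = defaultdict(lambda: {"hours": set(), "devices": set()})
    for ev in history:
        if ev["outcome"] == "ok":
            baseline[ev["user"]]["hours"].add(ev["time"].hour)
            baseline[ev["user"]]["devices"].add(ev["device"])
    return dict(baseline)


def contextual_alerts(events, baseline, limit=3, slack=1):
    """Threshold rule plus deviations from the user's learned baseline.

    A successful login alerts if its hour is more than `slack` hours away
    from every hour seen in the baseline, or if the device was never seen.
    Users with no baseline are skipped rather than alerted on.
    """
    alerts = threshold_alerts(events, limit)
    for ev in events:
        if ev["outcome"] != "ok" or ev["user"] not in baseline:
            continue
        profile = baseline[ev["user"]]
        hour = ev["time"].hour
        if all(abs(hour - h) > slack for h in profile["hours"]):
            alerts.append((ev["user"], "login-outside-normal-hours"))
        if ev["device"] not in profile["devices"]:
            alerts.append((ev["user"], "login-from-unseen-device"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(HISTORY))
    print("threshold only :", threshold_alerts(parse(EVENTS)))
    print("with baseline  :", contextual_alerts(parse(EVENTS), base))
```

The threshold rule alone sees only bob's three failures; the baseline rule additionally flags alice's 02:14 login and bob's login from a device never seen in his history, while the history replayed against its own baseline produces no alerts.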

Such a system can apply intelligence in detecting anomalous behaviour at an early stage and respond quickly. It does not replace anti-virus software or intrusion detection systems, but it adds a vital new dimension to risk management by co-ordinating the various defensive measures to contextualise events as they occur and provide a proper strategic view of information and communications technology (ICT) activity.
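The record-then-baseline approach the article describes, as an added example in Python that is not part of the original article: it learns a per-user profile (actions, hosts, active hours) from a handful of constructed log records, scores later events against that profile, flags volume spikes, and lets an analyst fold a confirmed-benign event back into the profile, which is the "learn from experience" step. The record format, the off-hours margin and the burst threshold are assumptions made for the example.

```python
"""Behavioural baseline over access logs (added example; not from the article).

Each record is (user, action, host, hour_of_day). The baseline learns, per user,
which actions and hosts are normal and during which hours activity occurs; later
events are scored against that. confirm_benign() is the 'learn from experience'
step: an analyst-approved event is folded back into the profile."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed training records; not real log data.
TRAINING_LOG = [
    ("alice", "file_read", "ws-01", 9),   ("alice", "file_read", "ws-01", 10),
    ("alice", "mail_recv", "mx-01", 11),  ("alice", "web_get", "proxy", 14),
    ("alice", "file_read", "ws-01", 15),  ("alice", "mail_recv", "mx-01", 16),
    ("bob", "file_read", "ws-07", 8),     ("bob", "file_write", "ws-07", 9),
    ("bob", "web_get", "proxy", 12),      ("bob", "file_read", "fileserv", 13),
    ("bob", "file_read", "fileserv", 14), ("bob", "file_write", "ws-07", 17),
]


@dataclass
class UserProfile:
    actions: Counter = field(default_factory=Counter)
    hosts: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)  # hour -> event count


class Baseline:
    def __init__(self, off_hours_margin=1):
        # Hours this far outside the observed range still count as normal (assumption).
        self.margin = off_hours_margin
        self.profiles = defaultdict(UserProfile)

    def learn(self, events):
        for user, action, host, hour in events:
            p = self.profiles[user]
            p.actions[action] += 1
            p.hosts[host] += 1
            p.hours[hour] += 1

    def confirm_benign(self, event):
        """Analyst feedback: treat this event as normal from now on."""
        self.learn([event])

    def score(self, event):
        """Reasons the event deviates from its user's baseline; [] means normal."""
        user, action, host, hour = event
        p = self.profiles.get(user)  # .get() does not create a profile
        if p is None:
            return ["unknown user"]
        reasons = []
        if action not in p.actions:
            reasons.append(f"new action {action}")
        if host not in p.hosts:
            reasons.append(f"new host {host}")
        lo, hi = min(p.hours), max(p.hours)
        if hour < lo - self.margin or hour > hi + self.margin:
            reasons.append(f"off-hours activity at {hour:02d}:00")
        return reasons

    def detect(self, events, burst_factor=3):
        """Score a batch; additionally flag a user whose events in one hour exceed
        burst_factor times their busiest training hour (volume spike)."""
        per_hour = Counter((u, h) for u, _, _, h in events)
        findings = []
        for ev in events:
            user, _, _, hour = ev
            reasons = self.score(ev)
            p = self.profiles.get(user)
            if p is not None and per_hour[(user, hour)] > burst_factor * max(p.hours.values()):
                reasons.append(f"volume spike: {per_hour[(user, hour)]} events at {hour:02d}:00")
            if reasons:
                findings.append((ev, reasons))
        return findings


def build_default_baseline():
    b = Baseline()
    b.learn(TRAINING_LOG)
    return b


if __name__ == "__main__":
    b = build_default_baseline()
    batch = [("alice", "file_write", "fileserv", 2), ("carol", "web_get", "proxy", 12)]
    for ev, why in b.detect(batch):
        print(ev, "->", "; ".join(why))
```

The profile is deliberately simple (set membership plus an hour range) so the alerting logic is readable; a production system would weight by frequency and decay old observations, but the shape of the loop (record, model, alert, feed back) is the one the article argues for.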

And there is another benefit too. The stored record provides a complete audit trail of events, a factor of increasing importance in our ever more regulated commercial world.

In this way organisations can comply not only with the letter of the regulations, but also with the spirit. In other words, they can start to tackle the unknown and previously unseen dangers, as they occur, rather than reacting only to easy targets.

One final point: Organised crime has moved in on the internet and information systems. Identity theft, phishing attacks and denial-of-service attacks have become lucrative new forms of criminal activity, with the chances of detection and prosecution virtually nil.

And the criminals have also worked out that it is far easier to attack an information system from the inside than trying to penetrate from the outside. And that disaffected accounts clerk with money worries could be their perfect accomplice.

Threat management tools are available which can detect anomalies, abnormalities and threats, acting like an army of detectives safeguarding your organisation from any attack - whether external, internal or from a known or unknown vector. You can get on with the day-to-day challenges of your job and trust your threat management detectives to alert you automatically to the few incidents that require your attention.



Out of the bunker: A view from the C-suite

Cyber security can't remain an IT issue. It needs to be addressed and filtered from the C-suite throughout the business, explains Rangu Salgame, CEO of growth ventures at Tata Communications.

Government, businesses and consumers have all come under serious threat from cyber criminals over the last 12 months and KPMG has suggested that going forward we will see the most advanced attempts of hacking and cyber crime yet.

A huge boom in the cyber insurance market is expected, on the back of emerging standards. The market will evolve providing businesses with incentives for compliance, whether that is a willingness to insure or reduce premiums. And with many organisations adopting BYOD policies, it is a growing concern that smartphones and tablets have increasingly become a target for cyber criminals.

Couple this with the fact that there are not enough security experts to combat the rising threat and you can see why governments globally are alarmed. In fact, research and consulting firm Frost & Sullivan reports that the number of security professionals globally is about 2.25 million, yet the requirement by 2015 will be 4.25 million. Cyber security is now being reclassified to a tier-one national security priority, signalling that policy-makers are urging action now.

Progress is certainly being made. In an update on the progress of the government's two-year-old cyber security strategy, Francis Maude, a Cabinet Office minister, said GCHQ is increasingly looking to British small and mid-sized organisations to recruit staff and increase cyber security expertise. In addition, more than 250 companies have joined the Cyber Security Information Sharing Programme (CISP), which encourages businesses to share problems and expertise in dealing with threats; that is a step in the right direction.

Despite businesses spending heavily to build cyber fortresses over the last 15 years, cyber attacks are still happening, and coming from a multitude of directions - including attacks from cyber criminals (traditional hackers and hacktivists), espionage-type incursions, and data leakage where information is taken from an organisation and purposefully or inadvertently put into the wrong hands.

Given the variety of attacks, all with bespoke motives, cyber security needs to go hand-in-hand with enterprise risk assessment as it can directly affect both operations and the broader brand or reputation of a company, often resulting in significant financial repercussions. What we now realise is that IT security solutions alone are no longer enough. And this takes cyber security out of the realm of being purely an IT department's responsibility and makes it a must-have agenda point for the boardroom table.

Key issues that those on the board must understand are the motives behind potential cyber attacks - what information do the attackers want to glean? Every company is unique. Only when this insight is understood can the right business decisions and investments be made. A comprehensive defence system ultimately comes from an overarching strategy developed by business leaders. Now is the time to act.

Think about how you can encourage employees to take responsibility for the protection of their own data. Introduce training programmes to educate your workforce and dispel some of the myths around cyber security. Set up learning sessions to ensure employees are fully aware of the procedures they should be implementing day-to-day when using mobile devices or transferring sensitive information. It may be necessary to bring new talent into the organisation. After all, increasingly tech-savvy younger generations think in a much more integrated way when it comes to using technology in their daily lives. 

The underlying message is that the threat of cyber attacks is increasing and C-suite leaders must not only brace themselves for potential hacks, but also prepare their organisations fully for the eventuality. Ensuring immunity from cyber attacks is almost impossible, but risks can be minimised. We're witnessing a whole new world of communications where the problem of cyber security can no longer sit siloed in the IT department. It must be communicated throughout the organisation.



Windigo malware infects 25,000 Unix servers

Systems administrators urged to take the 'tough medicine' and wipe all affected computers

Security firm ESET has gone public on a cyber crime campaign - ‘Operation Windigo' - that has infected over 25,000 Unix servers worldwide over the past three years, and is daily sending over 35 million spam messages to drive more than 500,000 computers to websites that serve them click-fraud malware and adverts for dating, online gambling and porn websites.

An ESET research team based in Montreal, Canada, and led by security intelligence programme manager Pierre-Marc Bureau has been tracking Windigo since September 2011 and says it is currently infecting 10,000 servers - 25,000 in all over the two-and-a-half years. It has compromised systems in 110 countries, the top five being the US, Germany, France, Italy and the UK.

ESET says: “Many hosting service providers have been completely compromised, including their billing systems.”

Yet the company says Windigo has gone “largely unnoticed by the security community” and is publicising the campaign in a bid to get system administrators to take the threat seriously and clean out their infected computers.

ESET said: “More than half a million visitors to legitimate websites hosted on servers compromised by Windigo are being redirected to an exploit kit every day. The success rate of exploitation of visiting computers is approximately one percent.”

It adds: “The quality of the various malware pieces is high - stealthy, portable, sound cryptography, and shows a deep knowledge of the Linux ecosystem.”

Windigo's main components are the Ebury backdoor, which enables the criminals to access Linux and Unix servers and steal administrator-level SSH credentials; Linux/Cdorked, which they use to redirect web traffic; and Perl/Calfbot, a Perl script used to send spam messages.

Windigo-affected websites typically infect Windows computers with click-fraud malware via an exploit kit, serve Mac users with adverts for dating sites, and redirect iPhone users to pornographic online content.

Organisations known to have been infected by Windigo include cPanel and the Linux Foundation's kernel.org, which went public last year on their compromise.

ESET has so far been unable to trace the criminals behind Windigo, not even their country or region of origin, but believes they are paid by the websites being advertised for their spam output.

Are you part of the problem?

ESET has been struggling to get webmasters and systems administrators to check if they are infected, then take the ‘tough medicine' of wiping all infected computers and re-installing the operating system and software.

ESET security researcher Marc-Étienne Léveillé said: "Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems - potentially putting more internet users in the firing line."

Pierre-Marc Bureau said that ESET has been spreading information about Windigo for several months through national cyber emergency response teams (CERTs) and notifying victims.

He told SCMagazineUK.com: “We have been telling them, please make sure you clean up. But people didn't believe us because the malware is very stealthy and hard to detect. So we are publishing that servers may be used to send spam or used to redirect web users, to help them to understand the impact and motivate them to clean up.”

Industry expert Brian Honan, head of cyber security specialist BH Consulting, told SCMagazineUK.com via email: “Dealing with Windigo will be a major headache for system administrators. It not only requires the wiping of the server and re-installation of all software, it also includes resetting all passwords and re-issuing fresh SSH keys. This can be a time-consuming exercise. Administrators will also need to consider how their website was breached, be that weak passwords or compromised SSH keys, and ensure that avenue of attack has been closed to the criminals.”

Honan added: “This campaign is a good example as to why you should integrate your security incident response with your business continuity plans. In the event of a compromise that requires a time-consuming rebuild of the affected system, being able to invoke your business continuity plan to enable the business to carry on as normal is essential.”

ESET has published a simple command line that people can use to see if a server is infected:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

Bureau told us: “The first hard thing is to confirm if a server is infected or not, then the even more painful step is to reformat the computer and re-install the system, but it needs to be done as the malware controller is the administrator of the server and can do whatever they want.”
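The one-liner above tests a single indicator: a clean OpenSSH client rejects the unrecognised -G flag with an "illegal option" or "unknown option" message, whereas the Ebury-trojanised client accepts it silently. Here is an added Python wrapper around that same indicator (example code, not ESET's tooling) with the check a practitioner needs before trusting it: OpenSSH 6.8 and later ship a legitimate -G option that prints the effective client configuration, so on those versions the absence of an error message proves nothing and the wrapper reports "inconclusive" instead of "infected". The banner parsing and the three verdict labels are assumptions made for the example; the verdict is an indicator to follow up on, not proof either way.

```python
"""Wrapper around the published `ssh -G` Windigo/Ebury indicator (added example).

classify_ssh_g() works on captured strings so it can be tested offline;
check_local_ssh() runs the two ssh invocations on this host.
"""
import re
import subprocess

# OpenSSH added a real -G option (dump effective config) in 6.8, so from that
# version on a silent acceptance of -G is expected behaviour, not an indicator.
FIRST_VERSION_WITH_G = (6, 8)


def ssh_version_tuple(version_banner):
    """Parse an `ssh -V` banner such as 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, ...'
    into (major, minor); return None if the banner is not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", version_banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_ssh_g(version_banner, g_output):
    """Return 'clean', 'infected' or 'inconclusive' for the captured output of
    `ssh -G` (stdout and stderr combined), given the client's version banner."""
    ver = ssh_version_tuple(version_banner)
    if ver is None or ver >= FIRST_VERSION_WITH_G:
        # Not OpenSSH, or a version where -G is legitimate: the indicator does not apply.
        return "inconclusive"
    if re.search(r"illegal option|unknown option", g_output):
        return "clean"       # the genuine client rejected the flag
    return "infected"        # the flag was accepted: matches ESET's indicator


def check_local_ssh(ssh_path="ssh"):
    """Run the indicator against the ssh binary on this host."""
    ver = subprocess.run([ssh_path, "-V"], capture_output=True, text=True)
    g = subprocess.run([ssh_path, "-G"], capture_output=True, text=True)
    # ssh -V writes its banner to stderr; ssh -G errors also go to stderr.
    return classify_ssh_g(ver.stdout + ver.stderr, g.stdout + g.stderr)


if __name__ == "__main__":
    print(check_local_ssh())
```

Run it on the suspect host rather than from a management station: the point is to exercise the ssh binary that may have been replaced. An "inconclusive" result on a modern OpenSSH means this particular indicator cannot be used and other evidence (package integrity checks, ESET's published indicators) has to carry the decision.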

Linux and Unix target

More than 60 percent of the world's websites run on Linux servers, and Brian Honan pointed to the significance of these systems being Windigo's target platforms.

He told us: “Traditionally Microsoft Windows platforms have been the primary target for criminals, but Windigo highlights that other platforms such as Unix and Apple are vulnerable to attack too. Those responsible for managing systems need to include all platforms in their security strategy.”

Windigo was named by ESET after a Native American demonic creature that eats human flesh - because the malware cannibalises legitimate servers to use them for criminal purposes.

ESET researched Windigo in collaboration with Sweden's national CERT-Bund organisation and other agencies.



9 Things Small Retailers Must Know to Survive and Thrive

The U.S. retail industry is undergoing a sea change - one that has some small brick-and-mortar retailers reaching for their life vests. How can a small retailer compete in increasingly choppy waters? McKinsey & Company recently identified some key trends reshaping retailing.

Below is a closer look at the ones I think are most relevant to small retail shop owners.

Key Trends Small Retailers Must Know

Retail Growth Will Be Slow

Although the economy is improving, unemployment is still relatively high, and the average consumer’s confidence is low. While many industry forecasts predict U.S. retail growth of 3 to 4 percent annually for the next 5 years (well below the average 5 to 7 percent annual growth pre-2008), McKinsey believes slow retail growth will extend beyond five years to become the “new normal.”

Consumers Have Higher Expectations

The growth of eCommerce and the introduction of mobile commerce (M-Commerce) have raised the stakes. Consumers expect purchasing and returning items to be quick, easy and seamless - no matter where they’re doing it.

Lines Are Blurring Between Retail Sectors

The way convenience and big-box stores are adding fresh food items is just one example of how retailers are eating each other’s lunch by selling products previously not found in their niches.

How Will Small Retailers Survive?

McKinsey identifies three key markets for retailers to target:

Baby Boomers

In the next 10 years, McKinsey says, the 47 million U.S. households headed by people over age 55 will account for the lion’s share of retail spending growth. For instance, they’ll drive 73 percent of housewares growth and 56 percent of apparel growth, thanks to their larger disposable incomes.

Hispanic Consumers

Hispanic consumers’ retail spending is projected to almost double in the next decade. They will be responsible for nearly one-fifth of all U.S. retail spending. Apparel, footwear and children’s products are hot categories for Hispanic shoppers.

Millennial Consumers

Those ages 13 to 30 make up just 15 percent of U.S. consumers, but by 2020 McKinsey says they will account for nearly one-third of total retail spending. Despite tough economic times, in the last five years Millennials’ retail spending has increased by 3 percent annually.

How Can You Attract These Key Retail Shoppers?

Try three of the strategies McKinsey suggests:

Personalize Your Marketing

McKinsey’s research found that for the average consumer, peer recommendations carry 10 times more weight than a salesperson’s recommendation.

Marketing your retail business on social media is a good start, but make sure you’re also encouraging customers to review your store on review and ratings sites, and to share their purchases on Facebook or other social media channels.

Reach out to customers with personalized emails based on past purchasing behaviors, or target offers to social media followers who have liked or shared a product on social media. Despite McKinsey’s data, don’t ignore the power of well-informed and helpful salespeople. Older shoppers, in particular, like to get in-person help from real people: salespeople who remember them, recall what they like and alert them when new merchandise comes in that they might be interested in.

This all builds customer loyalty.

Think Small

McKinsey says the average retail store’s footprint will shrink in the coming decade as large retailers focus more on eCommerce. Small retailers can benefit from this, too.

A smaller, but more carefully edited and curated store is more likely to succeed than a midsized location with a hodge-podge of items. Make every square foot of space as profitable as you can. Consider retail kiosks or small “pop-up” (temporary) locations as ways to try out new product lines or concepts.

Create an Experience, Not Just a Store

McKinsey notes that the retail environment is becoming increasingly “experiential.” For all three of the demographic groups noted above, brick-and-mortar shopping is a social activity.

If you want your retail business to stand out from the big-box pack, offer unique products, deep knowledge of your products and an experience that is enjoyable and memorable. Whether by adding a refreshment bar to your store, offering in-store tailoring of clothes or holding classes to teach customers how to use the cameras you sell, going above and beyond just making the sale will be key to retail success in the coming years.




BT customer data 'exposed' claims ICO

BT is being investigated by the UK's privacy watchdog, the Information Commissioner's Office (ICO), over claims that the user names and passwords of millions of its email customers were exposed to hacking.

The ICO launched its inquiry on 13 March based on claims by an unnamed ‘whistleblower' that the credentials of around seven million BT Mail customers “were being compromised by spammers/scammers on a daily basis and that BT was aware of this”, according to a BBC report.

The claimed vulnerability came when BT was moving its email customers across from a Yahoo-powered system to one run by Critical Path (now part of Openwave Messaging). The whistleblower is believed to be a former employee of Critical Path.

BT has released a statement admitting there was an issue - without detailing its exact scope - but saying the problem was fixed during testing. It also told the BBC that the unauthorised access problem related to BT Yahoo email accounts. But according to The Register, the whistleblower said user credentials were exposed in clear text during the migration to the Critical Path system.

BT declined to comment on specific claims, but said in a statement to journalists: “BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path). BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process.”

The ICO is investigating the claims but the possibility that BT/Critical Path left user credentials accessible has drawn industry criticism.

Amar Singh, chair of the Security Advisory Group of industry body ISACA UK, told SCMagazineUK.com: “The worry, if the reports are accurate, is the fact that the user details, including the passwords, were being transmitted and stored in clear text! To me, in today's day and age, that is simply irresponsible and reckless practice. Certain controls, like encrypting data in transit and at rest, must be configured as de facto, a basic requirement, and the fact that the organisation appears to have ignored them makes no sense.”

An ICO spokesperson told SCMagazineUK.com: “On 13 March we wrote to BT with several questions. Our enquiries into this matter are still ongoing and no conclusions have yet been reached.”

While the extent of the problem remains unclear, Amar Singh has advised BT Mail customers to play it safe and “change your password immediately - and remember to use a good password manager”.

He added: “Organisations - risk assess any initiative that involves personal information and always, always use proper and strong encryption for data at rest and for data in-transit.”

BT announced its choice of Critical Path as its consumer email provider in June 2013, providing email, calendar and contacts within the BT portal - as well as email anti-virus/anti-spam security services - across desktop, client, webmail and mobile devices.

Critical Path was acquired by Openwave in December 2013.



11 Simple Ways to Protect Your Business After an Employee Exits

What is one way I can protect my business technology/network in the event that an employee exits or is fired suddenly?

The Young Entrepreneur Council (YEC) is an invite-only organization comprised of the world’s most promising young entrepreneurs. In partnership with Citi, YEC recently launched StartupCollective, a free virtual mentorship program that helps millions of entrepreneurs start and grow businesses.

1. Write Clear Standard Operating Procedures

Use a tool such as SweetProcess to gather everyone’s knowledge in the company, so if anyone does leave, you’re not left with a knowledge gap. This also helps employees who are staying on board save time and not have to ask a lot of questions when doing a task that’s been done before.
- Nathalie Lussier, Nathalie Lussier Media Inc.

2. Have Good Noncompete Agreements

Make sure you’ve got a good noncompete agreement and other details in the employee contract that protect your interests. Most importantly, you can make sure you end on good terms to avoid any rash decisions on behalf of the employee. Ever heard the term “an eye for an eye”? Don’t make people feel like you’ve taken something from them, and they won’t feel compelled to take from you.
- Andy Karuza, Brandbuddee

3. Implement Automation

Using an open-source tool such as Chef can automate your entire technology infrastructure, so simple changes can be made instantly, such as removing an employee’s access or locking someone’s resources. Having automation prevents you from manually guessing and changing each resource the former employee had access to.
- Phil Chen, Givit

4. Create Confidentiality Agreements

I think the best way to protect yourself is to set up the processes that will protect you from this risk before there is an event. The best offense is a good defense, and having confidentiality agreements executed by employees when they’re hired mitigates any risk of possible information leaks when someone is fired, and it provides you with possible recourse.
- Bobby Grajewski, Edison Nation Medical

5. Passpack

Using a password storing and sharing system - we use Passpack - helps you control access to critical systems and material. If someone leaves, you can update all passwords except that person’s. But if you have employees who you worry will act vindictively, you should step back, and look at how employees are treated and what your personnel processes are.
- Jim Belosic, Pancakes Laboratories/ShortStack

6. Change Passwords

Some easy first steps are to change the passwords for all sensitive logins they had access to and deactivate or blacklist any of their individual accounts. Make sure the network in your office is secured and that no unknown connections are being made.
- Daniel Wesley, Creditloan.com

7. Use Mobile Device Management

I just wrote an article about this, and I stressed a layered security approach and a strategy of always protecting your company’s data, even when it resides on an employee’s mobile device. If you implement this strategy, you can safely wipe your business data without having to resort to awkwardly repossessing devices that may contain your former employee’s personal files.
- Robby Hill, HillSouth

8. Have Predetermined Termination Procedures

When an employee quits or is fired suddenly, you should have operational procedures in place to cut that employee off from any critical company information. In our case, we tie all our access points to an employee’s Google apps email account. This makes it very easy to change that one password and terminate access for that user across our entire organization.
- Liam Martin, Staff.com

9. Use the Cloud

If you aren’t storing information locally, then it is easier to limit employees’ access to systems and information. Within the cloud you can quickly change the password so employees cannot breach your systems. Similarly, you can restrict or eliminate their access to the cloud. Even if they take a work computer, you can prevent them from getting back into anything you don’t want them to have.
- Ty Morse, Songwhale

10. Value Cross Training

The best protection is often prevention, and one great way to prevent sudden loss of institutional knowledge and processes is to make sure everyone participates in and values cross training within departments and sometimes even outside of them. Sudden losses will come, but how you’ve planned for them makes the difference.
- Michael Seiman, CPXi

11. Manage and Secure Passwords

We use LastPass to automatically create, store and share secure passwords across the team. When someone leaves, all you have to do is disable his or her LastPass account, and that person will instantly lose access to every login. It’s also easy to create groups to automatically control who has access to which sites.
- Laura Roeder, LKR Social Media



Should a Small Business Use Indiegogo to Pay Business Debts?

Heck no - at least, that’s the conclusion if you want to avoid the kind of stinging backlash one small publishing company got after going on Indiegogo to raise money recently.

Norilana Books, a small publisher, took to Indiegogo to raise money to pay authors the back royalties it owes them.  In some cases the authors have been waiting years for their royalty payments.

On March 14, 2014 the publisher set up a listing on the crowdfunding site seeking to raise $20,927. The Indiegogo listing reads in part:

“I screwed up.  I take full responsibility, and it is all my fault.

The Long Story

I am Vera Nazarian, two-time Nebula Award Nominee author, award-winning artist, publisher of Norilana Books. In 2006 I singlehandedly started a small independent press Norilana Books, with about 300 paper print POD (Print-on-Demand) titles in print, mostly classics of world literature (about 90% of the complete catalog), and a few of my favorite contemporary genre authors… * * *

Things were going well the first few years, and I was promptly and happily paying royalties to all my wonderful authors, and releasing handsome paper print editions of their works in hardcover and trade paperback. And then the economy crashed, while at the same time, a series of personal misfortunes struck.

But this fundraiser is not about me…  It’s about the wonderful Norilana Books authors who need to be paid their long overdue royalties. As months went by and I was struggling just to survive, I was no longer able to pay my authors the royalties owed them.”

The listing went live last Friday.  Within 24 hours the situation had spiraled into a confrontational discussion on a popular publishing industry blog.  It even spilled over on to KBoards.com, a popular forum frequented by authors.  

Within three days after launching the Indiegogo campaign the publisher - under pressure - shut it down.

But that’s not before hundreds of comments were exchanged online. Many of the people who weighed in are self-employed authors - and many of their comments were critical of the publisher.

Some went as far as calling her a thief.

Defend Attacks, Or Rise Above Them?

The owner of the publishing company, Nazarian, jumped into the fray dozens of times to defend herself.  But as one observer noted, she might have been better off not spending so much energy trying.  The defensive comments tended to ratchet up the emotion. They drew more criticism.  A couple of times the KBoards forum moderators had to admonish participants not to get too personal.

Nazarian says that the repayment campaign was misunderstood.  She told us in an email interview:

“This Indiegogo was done entirely for my authors, and with the best of intentions.  I know it is easy to overlook, but this Indigogo was technically a book sale, and every $5 contributed was to be compensated with an ebook - one of my own books, which was costing only myself and none of my authors.

Without speaking of any of the dire personal things that happened in my life, and the economy in general, it must be pointed out that my small press (with the bulk of the catalog being public domain classics) was built solely on paper print sales. And with the advent and rise of ebooks the paper sales dried up. Since I firmly believe that authors should retain and control their own digital rights, I have always strongly encouraged all my authors to self-publish their own work in ebook. It is what I am doing now with my own books.

I am actively trying to make things right and have been working to the best of my ability, writing and publishing my own ebooks as a means of getting my income back and repaying all my authors their royalties in full. It is my number one priority.”

Nazarian is not without her supporters.  Some defended her, but they tended to be out-argued by vocal critics.  Some said they liked Nazarian personally but urged her to do “the honorable thing,” and stop selling other authors’ books so as not to make matters worse going forward.

In fact, 15 people contributed a total of $920 toward the Indiegogo campaign in the two days it was live. Clearly some supported the publisher enough to pledge money.

One of Norilana’s authors who hasn’t been paid, and who spoke only on condition of anonymity, still supports Nazarian.  “I am not happy about not getting paid, but I refuse to kick someone who’s down. She’s trying.”

Nazarian, for her part, says she wants to help her authors. “These people are my friends, and I will do everything humanly possible to rectify the situation.”

Blurring The Line Between Business and Personal

The publisher in this case is very small - essentially a one-person business.  Vera Nazarian started out by publishing her own books.  Later she began publishing books for other authors.  Several years ago she began to run into personal difficulties, with medical problems, an aged parent, foreclosure and personal bankruptcy in the picture.  She admitted that she began to use the money for her living expenses instead of paying the royalties to the authors whose books she published.

So when the recent Indiegogo campaign came to light, the debate dredged up personal details about choices Nazarian had made in her life.  At one point commenters debated Nazarian’s monthly $212 cable TV/internet bill. Some questioned whether it was a reasonable expense, and pointed out how she could save money.  Some suggested that she should work harder and take on cover design work on the side to pay her debts.

Others even questioned whether she was exaggerating her illness … or using it as an excuse.  One person wrote in an anonymous comment:

“NO ONE SHOULD USE CANCER AS AN EXCUSE TO RIP AN AUTHOR OFF. I find this so offensive as a cancer survivor who had to fight through chemo weakness to extract myself from a respected publisher who was using my illness to corner me into a lousy deal that I rank you BENEATH Nigerian bank scammers.” 

It’s hardly surprising to see personal issues brought up.  The publisher admits she used the royalty money for her personal expenses, instead of paying it to the company’s authors.  That opened the door for people to scrutinize her personal situation.

Not a pretty picture.

The Small Business Lessons

The backdrop to all of this is the small business ecosystem, where small businesses tend to do business with other small businesses.  It’s not uncommon for one small business to end up owing money, and the other small business to have a tough time collecting.  Perhaps that’s why this situation was so emotional.  So many entrepreneurs have been on both sides: being owed money, and being challenged to find money to pay the obligations they owe.  

David Vandagriff, an attorney who runs The Passive Voice, the blog where much of the discussion took place, told us, “This story is, unfortunately, yet another illustration of the importance of really knowing who you’re doing business with. The best contract in the world won’t completely protect you if your partner won’t keep their commitments.”

And what about the owner of that small publishing company?  Nazarian says all contributions in the Indiegogo campaign will be refunded.  She added, “As of now, ALL of my authors’ rights have been reverted - many of them had been done so months and years ago - and all their books are being returned to them. From April 1, 2014 onward, Norilana Books will only continue to publish my own work and public domain classics. I am happy to help each one of the authors in any way I can in the transition, and to provide them with cover images and interior files free of charge, for their own use.”



You Should Question Assumptions When You Are Successful

It’s easy for small business owners to question assumptions and themselves when they are failing. But at that point, it may be too late to fundamentally make changes that can turn their company around.

The success rate goes up if the owner questions assumptions when things are going well. However, most entrepreneurs will have a hard time doing this because they will not want to “mess with success,” or they will reason that “if it’s not broken, don’t try to fix it.” Many times, they do not even know what the success formula really is. They make cause-and-effect connections where none truly exists.

For example, the phenomenon of success actually not bringing more success has been statistically documented in basketball. A study called “The Hot Hand in Basketball: On the Misperception of Random Sequences” states:

“The chances of success on the next shot are not correlated with the success of the last shot. In other words, the ‘hot hand’ idea is a fallacy.”

To increase success in the future, look to see what conditions exist in the market that will make the company profitable now. Evaluate past results, but do not base future actions solely on them. Don’t say, “Well, it worked in the past, so it should work in the future!”

Keep thinking like a start-up entrepreneur as long as possible. This worked for IBM in the early 1980s when the company moved the work on their new personal computer to a separate business unit so the effort would not be “weighed down” by IBM’s past success in unrelated areas.

A $75M company I know had been in business for 50 years. Historically, they were only able to deliver five percent net profit to the bottom line. Sales had grown slowly over the years, so there was never a need to make any changes since they could predict what they could contribute to the parent company.

A new CEO got worried about what would happen to the company’s profits if sales dipped during a recession. She realized that even a small drop in sales was going to mean disaster for their overall profit contribution. The CEO needed to find ways to cut their expenses or increase their gross profit without cutting revenue. She was able to do this by throwing out established distribution channel assumptions, cutting discounts for many vendors and raising prices for newer products to their customers.

When sales eventually shrank during the Great Recession, the company was able to deliver the same dollar profit to the parent corporation. Now that times are better, and sales have grown again, they have become even more profitable.

What assumptions are you not questioning?




1 in 3 businesses have no incident response plan

Despite numerous commentators stating that it's now a case of 'when' rather than 'if' businesses are hit by a cyber attack, a new study reveals a third of companies have no incident response plans.

Arbor Networks today announced the results of its survey on incident response, which was carried out by The Economist Intelligence Unit. The firm surveyed 360 senior business leaders, with 73 percent of these being C-level management or board members from various countries across the world. Approximately 31 percent were based in North America with 36 percent and 29 percent coming from Europe and Asia Pacific respectively.

The most alarming statistics from the study were that despite 77 percent of companies confessing to having suffered some kind of data loss incident in the last two years, over a third (38 percent) of firms still had no incident response plans in place. More worryingly still, just 17 percent of global businesses involved in the study said that they were fully prepared for an ‘online security incident’. However, the study revealed that these companies were typically relying on the IT department and external resources - like IT forensic experts - hinting at a possible disconnect with the C-level.

James Chambers, senior editor at The Economist Intelligence Unit, said that the study results were positive but warned that incident response needs to take higher priority.

“There is an encouraging trend towards formalising corporate incident response preparations. But with the source and impact of threats becoming harder to predict, executives should make sure that incident response becomes an organisational reflex rather than just a plan pulled down off the shelf,” said Chambers in a prepared statement.

Phil Cracknell, head of security and privacy services at Company 85 and former CISO at TNT Express, Yell Group and Nomura International, told SCMagazineUK.com that the results were indicative of an ‘it won't happen to me’ attitude.

“It's a belief that it will never happen to them, and because here in the UK you don't see too many execs dragged in front of the press to explain what went wrong; if we did maybe we would see more encouraging figures of readiness,” he told SCMagazineUK via email.

BH Consulting founder and analyst Brian Honan, meanwhile, warned that these problems would continue to arise so long as information security - and incident response - was treated as an IT issue with little effect on business operations.

This problem, he said, is exacerbated by the fact that some boardrooms may not take too kindly to being asked for additional money on top of the spend already issued for protecting the company's computer systems.

“It's quite common for us to come across companies that have no or inadequate incident response plans,” Honan told SCMagazineUK.com in a telephone briefing. “It's a big challenge getting big organisations to invest in incident response - and it's challenging for CISOs. They've got to get the companies to spend on the security to protect the business, and they also need money in case the investments don't work. It can be a hard sell.”

Honan agreed that a disconnect with the C-level and an ‘it won't happen to us’ philosophy can be obstacles in developing adequate incident response plans, and added that there is also an assumption that this is a “techies only” issue. Instead, he says that incident response should also include legal, PR and even HR departments - if an insider is to blame.

Cracknell, like Honan, did have words of encouragement for companies, and said that companies need to first go through a data breach to understand how to respond and formulate their plan.

“Retain experts, have a plan, run a workshop to ask all those awkward questions of the board that you would need in order to make decisions during a crisis,” he said via email. “Create a series of web holding pages announcing you know an incident occurred, you are sorry for any inconvenience and the matter is being looked into.

“No news and poor communications will make any incident even worse…You can come out of a crisis and gain credibility if you handle it well.”



GoDaddy Plans to Go Public with an IPO in Second Half 2014


It’s the brand we all know as the place to buy domain names. And (in the past) it was a brand known for its racy Super Bowl ads featuring girls in tight T-shirts. But today, GoDaddy is reportedly mulling over plans to file for an IPO, according to the Wall Street Journal.

The paper quoted unnamed sources recently saying the company is interviewing banks to underwrite an upcoming IPO.

GoDaddy has gone through a transformation in recent years since its leveraged buyout in 2011 for an estimated $2.25 billion.

Under new management, GoDaddy has steadily moved toward serving Main Street small businesses, and distanced itself from the outspoken image developed by its Founder, Bob Parsons.

Companies often signal plans for filing an IPO, but then it takes time to put plans in place - sometimes a year or longer - before the IPO occurs. Sometimes the plans are scrapped and the IPO never occurs. Because of its 12 million customers, many of whom are small businesses and solo entrepreneurs, this IPO could be an important one for the small business market.

In a conversation with CEO Blake Irving, Venture Beat reports what going public might mean for the company and its customers:

“I see a very clear path of how to make GoDaddy the most valued, largest platform for small businesses in the world. It is quite clear that no one is doing it right yet.”

After taking over in 2013, Irving expressed a goal to transform the company into a primary service provider for small business.

In 2012, GoDaddy began its transformation into a suite of small business services by acquiring Outright, an online bookkeeping service.

In August 2013, GoDaddy acquired Locu, a company helping small business owners update their information across numerous sites like Yelp from one location.

In September 2013, the company unveiled a new advertising campaign re-branding the company as a one-stop shop for small businesses including Web hosting, design and a variety of other services.

Last October, GoDaddy acquired Ronin, an online invoicing service for small businesses.

If the IPO plan goes forward, GoDaddy could be looking at a public offering sometime in the second half of this year, the Wall Street Journal reports.




PCI compliance: The slow road to progress

PCI DSS 3.0 may be on the horizon, but a new study suggests that companies are not only slow in updating, but also approaching compliance in the wrong way.

Verizon's 2014 Compliance report comes ahead of some significant milestones set for the year ahead. PCI DSS turns ten years old, version 2.0 expires on December 31st and, the following day, DSS 3.0 becomes effective and mandatory, and validation assessments begin.

But this latest report found that compliance numbers remain in the double digits, at least when judged against the 12 requirements, and revealed that less compliant organisations are more likely to be breached. This is clearly a big trend given the data breaches suffered by Target, Neiman Marcus and Michaels Stores in the US, while a dated report from Nilson last August found that global card fraud losses reached £6 million (US$ 10 billion) in 2012.

Given these aforementioned instances, the Verizon report makes for an eye-opening read. It reveals that just 11.2 percent of organisations passed all 12 PCI 2.0 requirements - up slightly from 7.2 percent the year before - and says that companies are on average compliant with 85.2 percent of controls. Over half (51.1 percent) passed over half of PCI requirements.

The report details the key areas where companies fall down; namely vulnerability scanning, pen testing and auditing of network resources (requirement 11), as well as a tendency to “opt for the cheapest, quickest and most superficial testing that will allow them to ‘check the box’.” European companies seemed worse than most, with just 31.3 percent adhering to 80 percent of DSS 2.0 controls, compared to 56 percent in North America and 75 percent in Asia Pacific.

‘Card security can't be a once a year event’

Kim Haverblad, one of the co-authors of the report and Northern Europe Professional Services Manager for PCI Practise at Verizon Enterprise Solutions, told SCMagazineUK.com that improvements are being made - “at least PCI is pushing organisations in the right way” - but concurs with the study that the majority of organisations are going about implementation the wrong way, and often without C-level support.

“A lot of companies lack the proper support for integrating PCI. [They] need to look at this at a much higher level, and it's clear that there must be support from C-level.”

Haverblad said that simplified terminology, among other things, had helped companies implement PCI compliance in the “proper way” more recently, but - despite version 3.0 being just 10 months away - claims that further improvements are unlikely so long as businesses approach PCI as a one-off project.

“It should be a continuous operation, not a one-off programme. It's an ongoing project - and it's the only way to survive. Otherwise, [businesses] often start to fall back into old habits and they then need to review the PCI compliance from scratch again.”

Tim Holman, CEO of pen testing consultancy 2-sec and president of ISSA UK, went one step further, suggesting that companies may never get PCI compliance right.

“There will always be a lack of business focus on PCI DSS Compliance - it's just the way businesses are run,” he told SCMagazineUK.com.  “If you're lucky, you might get a company to focus on PCI DSS for a few months, just to get to an audit-ready state, and sometimes companies learn the hard way, get breached, and are forced to undergo an in-depth PCI DSS analysis.

“Business focus can also be gained by waving a very big stick, but to date, the non-compliance fines issued by the card schemes are peanuts to the larger merchants that can simply afford to absorb these costs - besides the fines are still cheaper than having to gain full PCI DSS Compliance.”

Bob Russo, general manager for the PCI Security Standards Council, and Dell SecureWorks' Gavin Weir agreed with Holman that this type of compliance often comes about on a sporadic basis. In an email exchange with SCMagazineUK.com, Russo urged firms to build PCI into “business as usual” practice - something which is likely to be more achievable when version 3.0 goes live.

“These findings, coupled with recent breach incidents, highlight the need for businesses to build security into their ‘business as usual’ practices, and the need for a layered approach to securing data - one that focuses on security not compliance,” said Russo.

“Card security can't be a once a year event, when a compliance assessment is due, but rather must be a daily occurrence. The changes introduced with the latest version of the PCI DSS and PA-DSS (version 3.0) focus on helping organisations do this better by adding increased flexibility in the requirements, and an emphasis on greater education and awareness.

“Ongoing deployment and maintenance of PCI Standards as business-as-usual is the best way to protect payment card data.”

Weir, principal security consultant at Dell SecureWorks, added that too many PCI compliance cases are treated on an annual basis and by project teams that are soon disbanded.

“Project teams are formed but once compliant, the people disappear and everything goes back to business as usual.” He added that this was truer of first-time re-assessments, but noted that this method was “still happening” with companies into their third or fourth PCI reassessment.

Verizon, too, revealed in the report that the PCI problems stem from poor sustainability on the part of organisations.

“Our research also shows that the vast majority of organisations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance programme, and they continue to struggle to provide the required compliance evidence at the time of the annual compliance validation assessment,” the report reads.

“There's significant variation across the individual requirements, controls, and sub-controls; as well as across industries and regions. Despite a decade of discussion, clarification, and education, there are fundamental disagreements and misunderstandings around critical areas of security and compliance, including how to define the scope of compliance itself, and how compliance is assessed.

“Some even regard the DSS, even in its latest 3.0 guise, as taking fundamentally the wrong approach to security.”

This is something which struck a chord with Forrester analyst Andrew Rose, who believes that PCI compliance can get too hung up on ensuring minimum standards.

“Many times a breach is caused not by a failure to comply with the basic requirements of PCI, but more around a failure of imagination,” he told SCMagazineUK.com.

“The Target breach, for example; I'm sure that would have successfully breached the vast majority of PCI compliant firms.  It's not that the standard is fundamentally flawed, as no formal standard can keep pace with technological change, it's that its implementation is often too focussed on compliance, and achieving minimum standards of control to achieve compliance rather than seeking real control rigour.”

“If compliance is all the firm seeks, then 'compliant' is the best they can achieve. If, however, they seek to be secure, then compliance can be a by-product of that.”

QSA issues muddy the water

But aside from calls for continued assessment, C-level input and a need for greater education and for integrating security as “business as usual”, there are also calls for greater clarity on the QSA side of things. QSAs - qualified security assessors - typically work with companies to ensure their PCI compliance is up to scratch.

2-Sec CEO Tim Holman, a QSA himself, admitted that QSA hands are tied when it comes to monitoring businesses.

“As a QSA, we can only assess a limited sample of business systems at a given point in time,” he told SCMagazineUK.com.  “We can't go back in time, or forward in time, and comment on how a business was run, or how a business will be run, and if we do see a business has ‘fallen out’ of compliance since we last paid a visit then the advice they get from the card schemes is to ‘make sure they are compliant moving forwards’.

“Perhaps if companies were penalised for lapses in compliance then this wouldn't happen, but again, how does one enforce this?  How can you make sure a company is in continual compliance without employing a team of QSAs full-time to sit there and hinder their business?  You can't.  You leave it in the hands of the business to manage their own compliance and the card schemes and banks trust that companies are doing so properly.”

Weir added that some companies indulge in “QSA hopping”, a dangerous game as some compliance requirements can differ in interpretation.

“Sometimes choosing a QSA becomes a cost issue - choosing the cheapest - but this has not been borne out in practice. QSAs can interpret things differently. There are 289 requirements and as many as 30 to 40 of those are subject to interpretation.”

Verizon's report also notes that QSAs are unable to provide 100 percent validation because they are assessing a small selected sample - and the requirements themselves are often subject to interpretation.

Espion senior consultant John Hetherton, also a PCI QSA himself, urged QSAs to “challenge the data” in order to stop firms from failing to maintain the PCI DSS standard on a continuous basis.

“The role of a PCI QSA is to challenge the data, look for evidence beyond the day of assessment that demonstrates all 12 requirements are adhered to all the time.  In some cases, particularly in larger environments, auditors will recommend periodic health checks to ensure that compliance is being met throughout the year, thereby avoiding a shock come audit time.  While PCI DSS must be achieved by organisations, it is equally important to maintain it; a good assessor will advise, consult and promote getting it right.”

Verizon was keen to stress that moves are being made to improve PCI DSS compliance. Indeed, one finding from the study revealed that 60 percent of all companies had met requirement 10 - to track and monitor all access to network resources and cardholder data - up from 39.2 percent in 2012, while PCI DSS 3.0 is expected to herald better tracking of cardholder data, improved authentication and greater awareness of malware threats. The changes should also see stronger enforcement around penetration testing, and better password implementation too.

But reports like these illustrate that PCI DSS compliance is by no means straightforward - or easy.
